Security Basics mailing list archives

Re: Mitigating risks of outsourcing desktop management


From: Adriel Desautels <adriel () netragard com>
Date: Wed, 09 Jul 2008 11:13:25 -0400

Hi David,
        I've read your email quickly and have the following comment.

I'll make a bet with you. If we can hack your provider and gain access to your AD server on their network, then you give me 15% of your business's revenue for the next year. If you can't make that bet comfortably, then you should not outsource your AD to that provider.

It is my opinion that most hosting providers are *insecure*. I would certainly not trust mission critical systems to those providers without first having their security thoroughly tested. Specifically, I'd want them to be tested by a security provider that can recreate the real world threat, not just some automated junk.

        Does that make sense?


Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


David West wrote:
Hello,
Our Operations team are investigating outsourcing the management of
desktops, adds/moves/changes/break-fix etc.

One of the proposals on the table is for a vendor to build/add
desktops to our AD domain off-site at the third party's premises. They
propose to achieve this by extending our AD domain to their premises.
I have a number of concerns with this approach, including: extending
our domain to an uncontrolled environment; policy and procedure
conformance of the third party; access required to add computers to
AD; potential to poison AD; identity management issues, etc. Some of
these concerns can be limited with tight commercial contractual terms;
however, I was wondering if anyone can provide insight into how other
enterprises solve this problem? I.e., somehow provide only a subset of
AD functionality to the third party; policy conformance somehow; or
don't do it at all?

Any advice would be appreciated.

Thanks,

David
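One concrete way to give a third party only the "add computers to AD" subset that David's post asks about, without handing over domain-wide rights, is to delegate computer-object creation on a single dedicated OU and turn off the default quota that lets any authenticated user join machines anywhere. The script below is an added example written for this thread, not code from either poster; the OU name `OU=VendorDesktops,DC=example,DC=com`, the group `Vendor-DesktopJoiners`, and the domain `example.com` are assumed placeholder values.

```powershell
# Added example: least-privilege delegation of computer joins to one OU.
# Assumes the RSAT ActiveDirectory module and a domain admin session.
# OU, group and domain names below are placeholders, not from the thread.
Import-Module ActiveDirectory

$Domain   = "example.com"
$VendorOU = "OU=VendorDesktops,DC=example,DC=com"
$JoinGrp  = "Vendor-DesktopJoiners"

# 1. Remove the default right of every authenticated user to join up to
#    10 machines anywhere in the domain. After this, only explicit ACEs
#    (like the one granted below) allow computer objects to be created.
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Look up the schema GUID of the "computer" object class so the ACE is
#    scoped to creating computers only, not users, groups or GPO links.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$computerCls = Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter "(lDAPDisplayName=computer)" `
                 -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID

# 3. Grant the vendor group CreateChild (computer) on the vendor OU only.
#    Inheritance "All" lets them create in sub-OUs of VendorDesktops,
#    but the OU itself is the boundary: nothing outside it is touched.
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $JoinGrp).SID
$acl = Get-Acl -Path "AD:\$VendorOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$VendorOU" -AclObject $acl

# 4. Verification step for the change-control record: list every ACE the
#    vendor group now holds on the OU. Anything beyond CreateChild on the
#    computer class is a sign the delegation is wider than intended.
(Get-Acl -Path "AD:\$VendorOU").Access |
    Where-Object { $_.IdentityReference -like "*$JoinGrp" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Pair this with a periodic check that no computer accounts owned or created by the vendor group exist outside the delegated OU (for example, `Get-ADComputer -Filter * -SearchBase` over the rest of the domain), since the delegation limits what the vendor can create but contractual and monitoring controls still have to cover what they do with the machines they own.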
